Whistleblower to Sue Oregon Department of Education

Photo credit: Nick Youngson (CC BY-SA 3.0)

Oregon Public Broadcasting reports that the former chief information officer for the Oregon Department of Education (ODE) is suing claiming ODE suspended and moved to terminate her because of her whistleblowing about the department’s data collection efforts and requests for access that violated federal privacy laws.

Rob Manning for OPB writes:

Former CIO Susie Strangfield resigned last May after being suspended for months while state officials investigated her. OPB previously reported that the state’s investigation included unusual accusations — for example, that Strangfield kept her earbuds in when she walked with coworkers and occasionally raised her voice with colleagues.

Strangfield suspected her suspension and subsequent moves to have her terminated were not about the conduct and project management questions that her attorneys called “frivolous.” Instead, she believed that top state officials forced her out because she raised privacy and security concerns about a massive database the state is building with records on millions of Oregonians, many of them children.

Strangfield’s attorneys filed a tort claim notice, essentially a warning that she intends to sue, alleging Strangfield was discriminated and retaliated against, in part for blowing the whistle on the database’s shortcomings.

Manning reported back in August about her complaint about Oregon’s statewide longitudinal database system (SLDS) and she was not the only person to express concern:

Officials in school districts across Oregon said they share Strangfield’s concerns about protections for student privacy and security, though they declined to speak on the record to preserve relations with ODE and the Chief Education Office. Multiple analyses from the U.S. Department of Education also laid out security concerns with how Oregon education officials handle data.

Worries came from others at ODE, too.

“One thing I want to be clear about — it wasn’t just Susie who had concerns,” said Amy McLaughlin, the supervisor of ODE’s information security team until she left in 2016. “I had concerns; my team had concerns about making sure that we were in compliance with FERPA.”
FERPA is the federal law that prohibits education institutions from sharing data on individual students, without documented research or audit plans.

Oregon parents and lawmakers should be concerned. 

Paper and Pencil Test Administration Is Not Impacted By Cyberattacks

Last week, seven states who contract with Questar for their statewide computer-based assessments were subject to a cyberattack.

The Rochester (NY) Democrat & Chronicle reported:

New York was one of seven states earlier this week whose student tests were hit by what was reportedly a “deliberate attack” on the computer system operated by Questar, an outside vendor.

On Tuesday, New York was one of the states whose students in grades 3-8 were taking computerized English tests, but were interrupted by what the Tennessee education commissioner called a “cyberattack.”

New York education officials confirmed Thursday that its computerized exams suffered the same problems Tuesday as other states, but Questar — the Minneapolis-based company that administers the tests — has yet to detail the cause of the problems.

The latest issues came after computer problems with the tests last week.

“The same issue that affected other states caused the system in New York to experience sporadic technical issues at a small number of schools on Tuesday morning,” Emily DeSantis, spokeswoman for the state Education Department, said in a statement.

“Questar confirmed that the origin of the issue was external to its servers. Questar reports there is no indication that any data from New York was accessed at any time. Testing resumed Tuesday after the system was reset.”

We’ve been concerned about computerized testing and its accompanying data security issues. Paper and pencil tests are simply more secure. They also will not face the possibility of disruption because of a cyberattack. Now if they upload scores and student information in an online database they still pose a data security risk, but they don’t have to.

Simply put there are far, far fewer problems with pencil and paper tests.

Who Is Surprised Hackers Are Targeting Schools?

CNN recently reported that the U.S. Department of Education warned about hackers targeting schools.

The U.S. Department of Education is now warning teachers, parents, and K-12 education staff of a cyberthreat targeting school districts across the country.

So far, at least three states have been targeted by the extortion attempt from hackers asking schools to give them money or the group will release stolen private records, according to the department.

“In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received,” the department wrote in an advisory this week.

Bradshaw, the superintendent of schools in Columbia Falls, Montana said a hacking group broke into multiple school servers and stole personal information on students and possibly staff. He said after the threatening messages came, hackers asked for ransom.

In a ransom note sent to a number of Columbia Falls school district members and released by the county’s sheriff’s department, the hacking group called the Dark Overlord threatened the district and demanded up to $150,000 in bitcoin to destroy the stolen private data.

Gee, with all of the student data mining and storing those records electronically who is surprised by this development?

Not us.

The U.S. Department of Education made the following suggestions for school IT staff:

IT Staff at Schools / Districts are encouraged to protect your organizations by

  • conducting security audits to identify weaknesses and update/patch vulnerable systems;
  • ensuring proper audit logs are created and reviewed routinely for suspicious activity;
  • training staff and students on data security best practices and phishing/social engineering awareness; and
  • reviewing all sensitive data to verify that outside access is appropriately limited.

 

 

 

One suggestion noticeably missing….

Stop collecting and storing student data where it can be hacked.

Skipping Down the Bipartisan Path Toward Big Data

Photo credit: Rob Crawley (CC-By-2.0)

Comedian George Carlin once observed that “the word ‘bipartisan’ means some larger-than-usual deception is being carried out.” This has certainly been the case in Congress recently, especially on education issues (case in point: the Every Student Succeeds Act, in which the Republicans proved they can “govern” by giving the Obama administration basically everything it wanted). Now congressional Republicans led by Speaker Paul Ryan are skipping down the bipartisan path yet again on the issue of Big Data and lifetime citizen surveillance.

Why do Republicans sometimes embrace the very worst schemes of the totalitarian Left? Can they not think through the implications of what they’re endorsing? In this case, the implications are extraordinarily dangerous to the foundational American principles of individual liberty and self-determination.

The vehicle for imposing expanded citizen surveillance is a new federal panel called the Commission on Evidence-Based Policymaking. The Speaker worked with Senator Patty Murray (D-WA) on the legislation to create the Commission, which “is charged with reviewing the inventory, infrastructure, and protocols related to data from federal programs and tax expenditures while developing recommendations for increasing the availability and use of this data in support of rigorous program evaluation.”

The appeal of this Commission to “conservatives” is that it will recommend ways to evaluate federal programs and see which ones work and which are a waste of money We need a commission for this? If we just assume all federal programs are a waste, we’ll be right at least 95 percent of the time. And the federal government routinely ignores research, such as the massive evidence that Head Start is useless, that doesn’t support its preferred policies.

But “program evaluation” is the excuse. And the basis of the Commission’s work will be expanded sharing of personal data on American citizens. In a free society, that’s a price too high to pay.

The authorizing statute makes it clear that the Commission must explore new and exciting ways of sharing personal citizen data. The Commission is directed to:

  • “determine the optimal arrangement for which administrative data on Federal programs . . . may be integrated and made available to facilitate program evaluation, continuous improvement, policy-relevant research, and cost-benefit analyses by qualified researchers and institutions . . .”;
  • “make recommendations on how data infrastructure, database security, and statistical protocols should be modified to best fulfill” these objectives;
  • “consider whether a clearinghouse for program and survey data should be established and how to create such a clearinghouse”;
  • determine “which survey data [this] administrative data may be linked to, in addition to linkages across administrative data series . . .”;
  • determine what incentives may facilitate interagency sharing of information to improve programmatic effectiveness . . .”

Although the statute mentions protecting privacy and data-security, its general thrust is to determine how the federal data troves can be shared among various agencies and with researchers.

The composition of the Commission is likewise designed to reach the desired goal of increasing disclosure of personal data. Of the fifteen commissioners (appointed by the President, the Speaker, and the House Minority Leader), only five are to be “expert[s] in protecting personally-identifiable (sic) information and data minimization.” The rest are to be researchers and program-administrators – people whose professional lifeblood is access to data, and who will reliably advocate for fewer restrictions on that access.

One of the Commission’s hot-button issues is whether to allow a federal student unit-record system. A unit-record system would enable the federal government to collect personally identifiable information (PII) on individual higher-education students and link that data to lifelong workforce data. Essentially, it would allow government to track individuals throughout their lives by linking their education to their employment outcomes.

What’s wrong with a unit-record system? For one thing, it would suck all post-secondary students into a massive federal database, without their consent or even their knowledge, merely because they enrolled in college. For another, it would inevitably burst all boundaries to include any data that might conceivably be connected to education – employment, health, military service, financial status, criminality — world without end, amen. And this ever-expanding dossier would be permanent.

But surely the government can be trusted to protect this data. Right. The U.S. Department of Education (USED) has been found shockingly lax in protecting the enormous amount of sensitive PII it already has, primarily through its office of Federal Student Aid. After a hearing uncovered the practically non-existent data-security at USED, Rep. Jason Chaffetz (R-UT) observed that “almost half the population of the United States of America has their personal information sitting in this database which is not secure.”

But security aside, the compilation of enormous amounts of personal data on American citizens fundamentally changes the relationship between the individual and government. It has an intimidating effect on the individual – even if the data is never used. This is especially true when the collector wields the force of law. A citizen who is afraid of what the government has on him is a citizen who will be loath to challenge that government.

Because such surveillance and tracking is (or should be) anathema in America, Congress wisely prohibited it in the Higher Education Act. But goaded by special-interest vultures well-funded by such rogues as the Bill & Melinda Gates Foundation, Congress is – on a bipartisan basis – weakening.

An early sign was introduction of the Student Right to Know Before You Go Act, which would allow a unit-record system with the excuse of informing prospective college students about the earnings of particular colleges’ graduates. This surveillance and tracking bill was co-sponsored by Sen. Marco Rubio (R-FL), whose family, you may recall from the campaign, is from Cuba. CUBA, for crying out loud. How can someone from Cuba not realize the dangers of the government’s tracking individuals throughout their lives?

And now we have the bipartisan Commission to produce a glossy report recommending repeal of the unit-record ban in service of research and “consumer information.”

On October 21 the Commission first heard testimony from an array of “stakeholders,” all but one of whom urged opening up citizens’ PII for more research, analysis, and tracking. Yes, they conceded, we must protect privacy, but it’s imperative that greater and more accessible databases be created so that the government can better help citizens run their own lives.

Parent activist Cheri Kiesecker has compiled a valuable compendium of the testimony and agendas of these witnesses. For example, the American Statistical Association bemoaned the bother of having to go before institutional review boards to justify research on unsuspecting citizens. The representative of the Workforce Data Quality Campaign confided that current restrictions sometimes force stakeholders to use “non-standard processes, [to] go through personal relationships or particular capacities within agencies at particular times.” According to this witness, federal bureaucrats are already giving their buddies access to restricted data. And we’re going to increase the personal data these criminal bureaucrats have access to?

Most of the data-mongers made it clear they want much more than just college students’ records linked to workforce data. Particularly blunt about this was the witness from Booz Allen Hamilton (former employer of Edward Snowden), which specializes in predictive intelligence. His company, he said, wants a centralized federal database from every conceivable federal source. “For example,” he said, “eligibility and participation tracked by the Social Security Administration – when combined with taxpayer data and tax subsidies from the IRS, survey data from the U.S. Census Bureau, and data from other agencies, such as HHS and HUD – could exponentially . . . enhance our potential to draw insights that could not have been derived before.”

No kidding. Compared to this vision, the NSA database is a filing cabinet.

The lonely witness who opposed this well-funded propaganda onslaught was my colleague Emmett McGroarty of American Principles Project.  McGroarty emphasized the intimidating effect that governmental compilation of citizen dossiers has on supposedly free individuals. “Our republic rests on the idea that the citizen will direct government. That cannot happen where government sits in a position of intimidation over the individual.”

The most recent Commission hearing, held on March 13, featured a federal bureaucrat who pushed for a fundamental culture shift in government. She argued that we need a “Yes, unless” expectation of data-sharing among federal agencies – in which all bureaucrats err on the side of data-sharing and “recognize the risks of failing to share data.” And, she advocated, the federal government should help states harmonize all their databases across different organizations, “with capacity to roll up to a national level.” Thus could we achieve data Shangri-La – all states sharing citizens’ personal data with each other and with the feds.

The dangers of such a wellspring of personal data are apparent from a recent Washington Post article about China’s grand plan for data-use. Though no one is (officially) contemplating this type of thing here, the totalitarian leanings of too many in government should give us pause. The report begins:

Imagine a world where an authoritarian government monitors everything you do, amasses huge amounts of data on almost every interaction you make, and awards you a single score that measures how “trustworthy” you are.

In this world, anything from defaulting on a loan to criticizing the ruling party, from running a red light to failing to care for your parents properly, could cause you to lose points.

And in this world, your score becomes the ultimate truth of  who you are – determining whether you can borrow money, get your children into the best schools or travel abroad; whether you get a room in a fancy hotel, a seat in a top restaurant – or even just get a date.

This is the “social credit” system that China plans to implement by 2020. “The ambition is to collect every scrap of information available online about China’s companies and citizens in a single place – and then assign each of them a score based on their political, commercial, social and legal ‘credit.’”

This system would harvest all online interactions and combine them with government data — court, police, banking, tax, education, and employment records. Can we see parallels with the massive federal database advocated by some witnesses at the Commission hearings?

Like our federal officials, the Chinese government offers a plausible reason for its Big Brother plan. With the new system, the government argues, it will be able to detect and punish “companies selling poisoned food or phony medicine, to expose doctors taking bribes and uncover con men preying on the vulnerable.”

And in alignment with the mushrooming number of “public-private partnerships” in the U.S., private companies in China are setting up credit databases that grade citizens on their behavior and dole out favors (such as more efficient car-rental) based on their scores.

One American lawyer working in China warns that if the government can overcome the technological challenges of establishing this system, it would wield extraordinary power to keep people “in line.” Imagine how social-media posts that criticize the government would torpedo a citizen’s score. This lawyer sees the scheme as a technologically turbocharged Cultural Revolution.

Would this happen in America if Congress established a central database? Unlikely – for now. But with so many well-funded “stakeholders” straining at the bit to get access to personal citizen data, for uses limited only by their own imaginations – and with so many of them openly advocating increased surveillance and tracking — it’s virtually certain we’ll head down a road that would make our founders shudder.

Currently, federal data resides in “silos” – education data related to education, IRS data related to income and taxes, Medicaid/Medicare data related to healthcare, etc. – that are in most respects separate from each other.  Contrary to the arguments of the Commission’s witnesses, this isn’t a problem – it’s a good thing. It is a check on the natural tendency of centralized government to overstep boundaries and increase its power. We knock down the walls of these silos at our peril.

“Conservative” politicians ought to understand this instinctively. It’s time for free-born American citizens to remind them.

Alabama Workforce-Data Bills Threaten Student, Family Privacy

Photo credit: Jim Bowen (CC-By-2.0)

What with manipulation of currency and theft of jobs, China is held in fairly low repute, especially down South. But some Alabama legislators seem enamored of at least one part of the Chinese system – the one that compiles enormous amounts of data on citizens, beginning when they’re toddlers and continuing through their careers, and swaps this data back and forth among various government agencies for government purposes. One might expect this kind of dangerous nonsense from, say, California, but . . . Alabama?

Parents and citizens are alarmed at two companion bills (SB 153 and HB  97) currently moving through the legislature to create a massive centralized warehouse of education and workforce data. This system would be called ANSWERS, or the Alabama Network of Statewide Workforce and Education-Related Statistics, which would be administered by a new Department of Labor bureaucracy called the Office of Education and Workforce Statistics (the “Office”).

The reach of ANSWERS would be sweeping. Operated by the Office, the system would combine education data (beginning in pre-K) and workforce data to provide information on the effectiveness of educational and workforce-training programs, and to assess “the availability of a skilled workforce to address current and future demands of business and industry.” (The bills don’t explain how the government can predict the “future demands of business and industry”; the Soviet Union tried it, but without much success.) The data could then be analyzed for whatever purposes the bureaucrats come up with, and used for “research” which, if history is any guide, will be ignored if it doesn’t support what the bureaucrats want to do.

How would this work? An Advisory Board would be established to identify the types of data that certain listed governmental entities would have to dump into the centralized warehouse. The statutory (and non-exclusive) list of such data sources includes all education agencies in the state, from pre-school through four-year universities – plus the Departments of Labor, Commerce, and Veterans’ Affairs. So these billions of data points on practically all Alabama citizens would be centralized into one repository to be sifted and shifted by central planners.

But surely the Advisory Board will be constructed so as to protect the interests of children and their parents. Not exactly. Of the 24 members, 22 must be either politicians, bureaucrats, or representatives of specific entities such as higher-education systems. One must represent private industry and know something about data-security (the bills’ only nod to security concerns), and the last shall be a lonely “representative of the public” (not necessarily a parent). The fix, ladies and gentlemen, is in.

The privacy concerns with ANSWERS are staggering. For one thing, although certain proponents have suggested the data would all be de-identified, the bills clearly contemplate the presence of personally identifiable data (by requiring “security clearance . . . for individuals with access to personally identifiable data”). Indeed, the bills specify that the Office would be considered an “authorized representative” under the Family Educational Rights and Privacy Act (FERPA), and the only point of such a designation is to be entitled to receive students’ personally identifiable without parental consent or even notification.

Even if all data were to be de-identified, data can be frequently re-identified – especially when there are hundreds of data points on each individual to enable data-matching. And the bills even specify that the Office is to “link educational, workforce, and workforce training data from multiple sources through quality matching.” In such a vast repository, anonymization will be difficult if not impossible.

No more comforting is the bills’ requirement that the system comply with FERPA and other unspecified privacy laws. Five years ago the Obama administration gutted FERPA by regulation, thus enabling almost unlimited disclosure of personally identifiable student data as long as certain terms are used to justify the disclosure. Do the bills’ sponsors not know this? If not, what are they doing writing legislation that relies on FERPA “protections”?

The bills require no particular system of data-security, leaving that up to the Office. But the Office will have an unenviable task, given that this wealth of extremely sensitive information (including student education data, Social Security numbers from the Labor Department, family income information from student-loan programs, and on and on) will be conveniently assembled into one neat package and therefore made enormously attractive to hackers. One might as well assemble all the crown jewels of Europe into one room and hope jewel thieves don’t notice.

If enacted, ANSWERS would be among the most intrusive longitudinal data systems in the country – only 16 states and D.C. have such an Orwellian system. But most Alabama parents understand that the government has no right to collect highly personal data on their children, or on adults for that matter, and give it to other agencies to track their journey through the workforce and through life. It is none of the government’s business. One would have expected Alabama officials to understand this as well.

An equally fundamental, and troubling, aspect of this contemplated data repository is its adoption of the statist “socialization,” workforce-development philosophy of education. Traditional education in America has been designed to develop each individual to the full extent of his talents, to expose him to the best of human thought; statist education is designed to train him to be a cog in the economic machine. Only if the State adopts the latter philosophy does it need a data repository to track citizens and see how the training is working out.

Fortunately, Alabama State Superintendent Michael Sentance has a strong history in a true educational system rather than a workforce-training system. His experience as Secretary of Education in Massachusetts back when that state educated children better than any other state in the nation should prepare him to recognize the dangers of the ANSWERS network.

In public statements so far, Sentance has focused on the critical problems with data security. The parents of Alabama students are counting on him to go further – to reel in the dangerous inclination of the all-powerful State to collect data on free-born citizens and use it to analyze them as though rats in a laboratory. If Sentance comes out against ANSWERS, that ill-advised scheme will probably go down. Alabama is not China. Supt. Sentance can ensure that it doesn’t become so.

Cyber Attacks, Another Problem for Online Testing and Data Storage

Photo credit: Bartmoni (CC-By-SA 3.0)

Photo credit: Bartmoni (CC-By-SA 3.0)

Some news out of Rhode Island caught my eye today. A school has to put off its PARCC testing because of a cyber attack they experienced.

WPRI Channel 12 reports:

Warwick school officials said a cyber attack has led them to postpone a standardized test for the second straight day in two city high schools.

In an email and robocall to parents, the school department said the cyber attack targeted the computer networks at both Pilgrim and Toll Gate High Schools.

They were also postponing testing today so they could further secure their networks.

You don’t have this issue with paper tests. Also any school or state that stores their student data online puts that data at risk.

Cogs in the Machine: Big Data, Common Core, and National Testing

imagePioneer Institute released another White Paper by Emmett McGroarty (Director of APP Education, American Principles Project), Joy Pullmann (managing editor of School Reform News and Research Fellow, Heartland Institute), and Jane Robbins (Senior Fellow, American Principles Project).

Their synopsis: New technology allows advocates for education as workforce development to accomplish what has long been out of their reach: the collection of data on every child, beginning with preschool or even earlier, and using that data to track the child throughout his/her academic career and his/her progression through the workforce. This paper explores the many initiatives that the federal government has worked with private entities to design and encourage states to participate in, in order to increase the collection and sharing of student data, while relaxing privacy protections. The authors offer recommendations to protect student privacy, including urging parents to ask what kinds of information are being collected on digital-learning platforms and whether the software will record data about their children’s behaviors and attitudes rather than just academic knowledge. If parents object to such data-collection, they should opt out. The authors also urge state lawmakers to pass student privacy laws, and they recommend that Congress correct the 2013 relaxation of FERPA.

You can read it below or download it here.

Kentucky Bills Filed to Stop Common Core and Next Generation Science Standards

Richard Innes of The Bluegrass Institute informed me that there are two bills that have been filed related to the Common Core State Standards and Next Generation Science Standards.

The first bill, Kentucky House Bill 215 calls for dropping the Common Core State Standards and Next Generation Science Standards, reasserts state sovereignty over education, and requires better data security for education records.

You can read the bill below:

 

The second bill, Kentucky House Bill 5, has wider support and it calls for tightened data security for all state agenecies.

You can read the bill below: